It’s no secret I’ve been spending some time having fun with ABS,
a programming language with a terse and concise syntax that can simplify working with shell
commands.

A few weeks ago I needed to remove a file from all of Namshi’s private GitHub repositories
and did so with an ABS script.

Let’s get to it!

build.yml

Namshi has been running Docker builds on a tool we open-sourced, Roger,
until we decided to migrate to Google Cloud Build
as it offered a similar service without the need to manage the build infrastructure
ourselves — the less we manage, the happier we are.

When you set up a build on Roger, it will infer metadata from a build.yml file
in the root of the repo:

```yaml
redis: # this is the name of your project
  registry: registry.company.com # your private registry, ie. 127.0.0.1:5000
```

Now, we had pushed this file to all of our internal repositories, and with the migration
to GCB we didn’t need them anymore. Time to flush them all!

The idea

I wanted this to be as quick as possible, without having to go through
sending pull requests to each repository: who would have time to review and approve
all these trivial PRs that would simply remove one, now-useless file?

The script had to do something very simple:

- get a list of all of our repositories
- try to see if a build.yml exists in the root of the repo
- patch master with a new commit that removes the file

Easy peasy, no?

The script

The code is quite straightforward, with the only exception of having to handle pagination,
since the GitHub API won’t return a full list of repos in one response: even so, it’s simply
a matter of keeping track of a counter and exiting the while loop when there are no more
repositories to fetch. The whole functionality is implemented in ~30 lines of code:

On GitHub, each of your repos will have a commit that
removes the file you’re gunning for:

This is an example of where I think ABS truly shines:
the ability to issue system commands (`curl ...`) and parse
the results like a traditional programming language: in this script,
I’ve used response.json() extensively since the GitHub API
returns JSON content, and it becomes extremely simple to turn that
response into an ABS data structure we can work with.
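
The three steps listed earlier (list the repositories, look for `build.yml`, commit its removal to `master`) as an added Python example, not the author's ABS script. It calls the GitHub REST API directly; the `GITHUB_TOKEN` variable, the `example-org` name and the dry-run default are assumptions of this example.

```python
import json, os, urllib.error, urllib.request
API = "https://api.github.com"

def github(method, path, token, body=None):
    """One GitHub REST call; returns (status, parsed JSON or None)."""
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body else None,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        return err.code, None

def list_repos(org, call):
    """Follow the paginated repo list until an empty page comes back."""
    names, page = [], 1
    while True:
        status, repos = call("GET", f"/orgs/{org}/repos?per_page=100&page={page}")
        if status != 200:
            raise RuntimeError(f"listing repos failed: HTTP {status}")
        if not repos:
            return names
        names += [r["name"] for r in repos if not r.get("archived")]
        page += 1

def remove_file(org, path, call, branch="master", dry_run=True):
    """Delete `path` from every repo's root; returns the repos affected."""
    affected = []
    for repo in list_repos(org, call):
        url = f"/repos/{org}/{repo}/contents/{path}"
        status, meta = call("GET", f"{url}?ref={branch}")
        if status != 200 or not isinstance(meta, dict):
            continue  # 404: no such file (or the path is a directory)
        if not dry_run:
            commit = {"message": f"Remove {path}", "sha": meta["sha"], "branch": branch}
            status, _ = call("DELETE", url, commit)
            if status != 200:
                continue  # e.g. branch protection refused the direct commit
        affected.append(repo)
    return affected

if __name__ == "__main__":
    token = os.environ["GITHUB_TOKEN"]  # assumed variable name; keep tokens out of the script
    call = lambda method, path, body=None: github(method, path, token, body)
    print(remove_file("example-org", "build.yml", call))  # placeholder org, dry run
```

Run it once with the default `dry_run=True` and review the returned list before letting it commit directly to `master`, since these commits skip pull-request review.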
